I manage an Active Directory domain that is in a lab used for replication. Our domain has a one-way trust with our corporate domain so that some applications can use the corporate credentials to authenticate users, and we don't have to manage multiple accounts per user.

I just found out today that any user account on our corporate domain is able to join a computer to our replication lab domain. So, our users will create a machine, try to join it to our domain (something we do NOT want them doing), and enter their corporate domain credentials, and they're successful.

To my knowledge, no such rights have been delegated. I have looked in ADUC and don't see any groups with the "Create Computer objects" permission that shouldn't have it. The groups that have this permission are the typical Domain Admins, Administrators, Enterprise Admins, a couple of Exchange-related groups, etc. The only group that has ANY rights on the "Computers" object (the one new computer accounts are created in by default) that I figured our corporate accounts might fall under is "Authenticated Users." However, that group does NOT have the right to create computer objects.

I have enabled auditing of the creation of computer accounts, and I found an event 4741 showing that a computer account was successfully created using my corporate domain credentials. I can't figure out what is going on here.

How can I resolve this? I'm not sure where else to look or how to further troubleshoot. Thanks in advance for any assistance!

Thank you very much for your reply. I will try this out shortly. I'm curious, though, why this permission isn't reflected when you look at the advanced permissions on the "Computers" folder in ADUC or even at the root of the domain. Is this just inherent?

It is. It is not a specific granted permission; it is a default feature. It was implemented back in Server 2000. The fact that it is not a granted permission through the normal avenues is why you have to use ADSI Edit to change the DC property. It was thought to be an ease-of-use feature, but if your environment is locked down then it is more of a headache. To be honest, though, most orgs don't have users that would attempt to join the domain with their credentials. My users don't even know what domain they are in, much less anything else. Our communicator said to enter username Example Domain\Username

One user kept trying to enter Domain\bsmith, wondering why it didn't work :)
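The following is an added example and is not code from either poster. The thread does not name the "DC property" the reply refers to; the domain attribute that grants every Authenticated User (including users from a trusting domain) the implicit right to create computer accounts is ms-DS-MachineAccountQuota, which defaults to 10. The script below reads it, sets it to 0, lists which accounts have already used it (computers created through the quota rather than through delegated permission carry the creator's SID in mS-DS-CreatorSID), and pulls the 4741 events the original poster enabled. It assumes the RSAT ActiveDirectory module, a run on (or with rights to) a domain controller, and that the Security log on that DC holds the 4741 events; everything else is standard cmdlets.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module and an account allowed to modify the domain naming context.
Import-Module ActiveDirectory

# 1. Read the current quota. Nothing in ADUC's permission editor shows this;
#    it is a plain attribute on the domain head object.
$domainDN = (Get-ADDomain).DistinguishedName
$attr     = 'ms-DS-MachineAccountQuota'
$before   = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
Write-Host "Before: $attr on $domainDN = $before"

# 2. Set it to 0. Groups that hold an explicit "Create Computer objects"
#    permission (Domain Admins, delegated groups, ...) are unaffected.
Set-ADObject -Identity $domainDN -Replace @{ $attr = 0 }
$after = (Get-ADObject -Identity $domainDN -Properties $attr).$attr
Write-Host "After:  $attr on $domainDN = $after"

# 3. Who has already joined machines through the quota? Only quota-created
#    computer accounts have mS-DS-CreatorSID populated. SIDs from the trusted
#    corporate domain may not resolve to a name here, so keep the raw SID too.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The attribute comes back as a SecurityIdentifier or as raw bytes
        # depending on module version; handle both.
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else { $raw }
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { '(unresolved, likely trusted domain)' }
        [pscustomobject]@{ Computer = $_.Name; CreatorSid = $sid.Value; Creator = $name }
    } | Format-Table -AutoSize

# 4. Correlate with the 4741 (computer account created) audit events.
#    SubjectDomainName shows the corporate domain when a trusted user did it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4741 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Computer  = $data['TargetUserName']
            CreatedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            DC        = $_.MachineName
        }
    } | Format-Table -AutoSize
```

Step 2 is the actual fix; steps 3 and 4 are the check a practitioner wants afterwards, since setting the quota to 0 stops new joins but does nothing about computer accounts that corporate users have already created. Those can be identified from the mS-DS-CreatorSID listing and removed or re-owned as policy dictates. The same change can be made in ADSI Edit by opening the domain naming context, editing the properties of the domain head (DC=...) object, and setting ms-DS-MachineAccountQuota to 0.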